RSS

Snyk Finds Prompt Injection in 36% of Payloads in a ToxicSkills Study

mooreds1 pts0 comments

Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise | SnykYou need to enable JavaScript to run this app.Skip to main content

Snyk Blog

In this article

Written by<br>Luca Beurer-Kellner

Aleksei Kudrinskii

Marco Milanta

Kristian Bonde Nielsen

Hemang Sarkar

Liran Tal

February 5, 2026<br>0 mins read<br>The first comprehensive security audit of the Agent Skills ecosystem reveals malware, credential theft, and prompt injection attacks targeting OpenClaw, Claude Code, and Cursor users<br>Agent skills are reusable capability packages that instruct AI agents how to interact with tools, APIs, or system resources—and they're rapidly becoming standard in AI-powered development. If you've installed one in the past month, there's a 13% chance it contains a critical security flaw and a non-zero chance it's actively exfiltrating your credentials right now. We refer to this research and detection framework collectively as "ToxicSkills"<br>Snyk security researchers have completed the first comprehensive security audit of the AI Agent Skills ecosystem, scanning 3,984 skills from ClawHub and skills.sh as of February 5th, 2026 - the largest publicly available corpus of agent skills currently known. The findings are stark: 13.4% of all skills, or 534 in total, all contain at least one critical-level security issue , including malware distribution, prompt injection attacks, and exposed secrets. Expand to any severity level, and over a third of the ecosystem is affected: 36.82% (1,467 skills) have at least one security flaw , from hardcoded API keys and insecure credential handling to dangerous third-party content exposure.<br>The Agent Skills ecosystem, which powers not just personal assistants like OpenClaw but coding agents like Claude Code and Cursor, has a supply chain security problem that mirrors the early days of npm and PyPI—except with unprecedented access to credentials, file systems, and APIs. Our detectors were intentionally tuned to minimize false positives on widely adopted legitimate skills; these numbers represent real risk, not scanner noise.<br>These findings span two categories: insecure or vulnerable skills that create exploitable attack surfaces, and intentionally malicious payloads designed to harm. Beyond the statistics, we confirmed active threats through HITL: 76 malicious payloads designed for credential theft, backdoor installation, and data exfiltration. From this small sample alone, 8 of these malicious skills remain publicly available on clawhub.ai as of publication. This isn't theoretical risk, it's an ecosystem already under attack.<br>The threat landscape: Agent Skills under attack<br>Explosive growth meets inadequate security and threatens agents of all kinds. The Agent Skills ecosystem is experiencing hypergrowth. Our data shows skills being published at an accelerating rate throughout 2026, with daily submissions jumping from under 50 in mid-January to over 500 by early February, a 10x increase in weeks.

This growth has attracted malicious actors. In February 2026, security researchers at OpenSourceMalware.com documented the first coordinated malware campaign targeting users of Claude Code and OpenClaw, using 30+ malicious skills distributed via ClawHub. Our research extends and deepens these findings, revealing that the attack is far broader than initially reported.<br>What makes Agent Skills dangerous<br>Unlike traditional packages that execute in isolated contexts, Agent Skills operate with the full permissions of the AI agent they extend. When you install a skill for OpenClaw, that skill inherits:<br>Shell access to your machine

Read/write permissions to your file system

Access to credentials stored in environment variables and config files

The ability to send messages via email, Slack, WhatsApp, and other channels

Persistent memory that survives across sessions

The barrier to publishing a new agent skill on ClawHub? A SKILL.md Markdown file and a GitHub account that's one week old. No code signing. No security review. No sandbox by default.<br>The bigger picture is that Agent Skills are a supply chain security concern with many striking parallels to those of language package ecosystems:<br>Package ecosystems (2015-2020)

Agent Skills (2026)

Typosquatting attacks

✓ Observed

Malicious maintainers

✓ Observed

Post-install scripts as an attack vector

✓ Skill "setup" instructions

But Agent Skills are worse in key ways:<br>Higher privilege by default : Skills inherit full agent permissions

Prompt injection has no analog : Natural language attacks evade code-based detection

Persistence through memory : Malicious skills can modify agent behavior permanently

The ecosystem is at an inflection point. The current state resembles early package managers before security became a first-class concern. The question is whether the community will learn from those hard lessons or repeat them.<br>Our methodology: Building a threat taxonomy<br>Based on automated...

skills agent security malicious ecosystem prompt

Related Articles

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

Britain Became as Poor as Mississippi

SanjayMehta15 ptsbritain mississippi next financial crisis self
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.